HIPAA: Managing HIPAA Violations in a World of Expanded Access

Vera Newkirk, MHA, CHC, CHPC
Compliance/Privacy Officer
August 30, 2016

Learning Objectives

• Discuss efforts to strengthen staff awareness of HIPAA and their obligation to prevent inappropriate access and inappropriate disclosure of protected health information.
• Understand the challenges of managing access.
• Describe the anatomy of a HIPAA violation, including sources of concern and monitoring activities.
• Understand the importance of mitigation and notification requirements, as well as thorough documentation.

#NCHICA2016, @nhrmc

New Hanover Regional Medical Center ~ Who We Are

• Two Hospital Campus Locations (Wilmington)
• NHRMC
• NHRMC Orthopedic Hospital
• Rehab Hospital
• Women & Children’s Hospital
• NHRMC Behavioral Health Hospital

• Several outpatient locations
• Four emergency departments & ASC
• Pender Memorial Hospital (CAH)
• Skilled Nursing Facility
• NHRMC Home Care
• NHRMC Physician Group Practices

• 29 Locations
• 6 Counties

• 6100 Employees
• 651 Medical Staff, 304 mid-level providers
• Physician Quality Partners (ACO)
• Joint Ventures & Affiliations

Corporate Compliance Organization Chart

NHRMC Board of Trustees

Jack Barto, CEO

Vera Newkirk, MHA, CHC, CHPC Compliance/Privacy Officer

NHRMC Board of Trustees Audit Committee

Vickie Futrell, RN, BS, RHIA, CHC, COC Compliance Auditor

Robin Pearsall, RN, COC, CHPC Compliance Auditor

Stephanie Snyder, BS Compliance Auditor

Connie Keen, RN Compliance/Regulatory Coordinator (.5 fte)

Background

• HIPAA Privacy Rule – Effective 4/14/2003
• HIPAA Security Rule – Effective 4/20/2005
• Health Breach Notification Rule – Effective 9/23/2009
• Modifications to HIPAA Rules – Effective 3/26/2013

NHRMC Hospital & Outpatient Departments – Interface Diagram

NHRMC Physician Group – Interface Diagram

Provision of Security Access

• Role-Based Access
• Minimum Necessary
• HIPAA Core Team Review
• “Expanded Access”
  – Access to “all” patients versus a limited list
  – Remote access
  – Access to full Social Security Number
  – Access to specific reports

Proactive Measures to Prevent Violations

• Staff Education
• New Hire Orientation
• Annual Compliance Training
• Compliance and Privacy Newsletters with Number of Violations (Quarterly)
• Huddle board discussions (per the discretion of the leader)
• LIVE department education following a HIPAA violation
• Privacy Monitoring Activities (Quarterly)
• HIPAA Core Team Review of Expanded Access Requests
• Compliance and Privacy Tracers (Quarterly)

Violations of Inappropriate Access

A HIPAA access violation has occurred when a User opens a medical record without a job-related “need to know.”

CALENDAR YEAR    NUMBER OF VIOLATIONS
2011             3
2012             2
2013             3
2014             16
2015             12
2016 YTD         26

Anatomy of a HIPAA Violation

5 Major Steps for Compliance with HIPAA

Detection

• Patient or representative
• Privacy monitoring
• Co-workers
• Internal suspicions
• Process failure or human error

Investigation

• Review access audits
• Review medical records
• Consult with manager
• Conduct interview(s)

Documentation

• Initial complaint
• Audit findings
• Interviews
• Staff education
• Conclusion
• Sanctions
• Notifications

Sanction

• Disciplinary actions
  – Written Warning, Final Written, or Termination
  – No Merit Increase
• Re-education, if applicable

Mitigation

• Patient Notification
• OCR Notification
• Medical Record Disclosure

Why Do HIPAA Access Violations Occur?

Reasons Provided By Violators

• “I needed to verify my co-worker’s address because the department was sending a get well card.”
• “I wasn’t sure what she looked like so I looked her up.”
• “My co-worker asked me to look up her test results.”
• “I didn’t do that. Someone must have used my computer.”

Other Discoveries During Investigations

• User is related to a relative involved in a car accident. User accessed other patient’s account to find out lab results.
• User accessed EMRs for high profile patients and media interests out of curiosity.
• User accessed EMR of the former spouse.
• User accessed EMR of a co-worker(s) or relative(s) out of concern and/or curiosity.
• User accessed EMR of co-worker at co-worker’s request because co-worker knew it was against policy to access own record.

What More Can We Do?

• Random security screensavers
• Provide real, de-identified HIPAA scenarios to leaders for huddle board discussions
• Strengthen Progressive Discipline Policy

Questions/Discussion
